The threat landscape shows how adversaries operate. Vulnerability research shows which weaknesses they can exploit. But the clearest view of OT cybersecurity risk often comes from the places where theory meets reality. The “frontlines” of ICS cybersecurity are not limited to incident response investigations. They include the full range of work Dragos performs across real industrial environments: cybersecurity assessments, red team exercises, tabletop exercises, and threat hunting, together with real-world OT telemetry from the Dragos Platform and Neighborhood Keeper. That work comes together through the Dragos Intelligence Fabric, which connects adversary intelligence, vulnerability research, frontline services experience, and OT telemetry. No single source provides a complete view of OT risk. Incident response shows what happens when something has gone wrong. Assessments and architecture reviews show where environments are exposed. Penetration tests show how those weaknesses can be used. Tabletop exercises show whether organizations can detect, communicate, contain, and recover when operations are affected.
Viewed together through the Dragos Intelligence Fabric, these frontline findings highlight that adversaries gain access through exposed systems, weak credentials, remote pathways, and trusted connections. They move through systems that support operations, not always the control systems themselves. And in too many environments, defenders lack the visibility, architecture, or response readiness to determine what happened before operations are affected.
The lessons that follow are organized around the SANS Five ICS Cybersecurity Critical Controls. These are the controls that directly address the conditions repeatedly observed in real industrial environments.
The first lesson is this: OT incident response often begins with uncertainty. Something in the physical environment is not behaving as expected, and the organization needs to determine whether the cause is cyber, mechanical, process-related, or some combination of factors. OT/ICS incident response planning should be built around operational outcomes: Loss of View, Loss of Control, Loss of Availability, questionable telemetry, and recovery when systems cannot immediately be trusted. The response plan matters, but so does the ability to see what happened.
In 2025, Dragos incident response cases were initiated in response to malware in 23 percent of cases and ransomware in another 23 percent. The largest category was unexplained operational issues, which accounted for 30 percent of cases. Those operational issues included inconsistent values, hardware failures, and other anomalies that asset owners could not initially explain because the data needed for root cause analysis had not been collected at the time.
Most incidents resulted in at least a one-week outage, and the longest Dragos recovery in 2025 lasted approximately three weeks. The cost of missing visibility is not limited to slower investigation. It can result in extended downtime, delayed recovery, and reduced confidence in the ability to safely return systems to normal operation.
Architecture shapes the radius of an intrusion. Poor IT/OT network segmentation remained the most common architectural weakness, appearing in 81 percent of Dragos Services reports. Dragos also found that 42 percent of reports included at least one major finding related to defensible architecture. When environments are flat, over-permissive, or connected through poorly governed pathways, adversaries have fewer barriers once they gain access.
Observations from across the Dragos Intelligence Fabric show that third-party and downstream service providers, as well as managed security partners, introduced ingress points into victim networks. Those risks are compounded by poor password hygiene, credentials stored in readable form, and unnecessary exposure of remote access. Adversaries do not need to begin in OT to affect OT. They need a path from initial access to systems that support, connect to, or influence operations.
Visibility is part of that architecture. A segmented environment that defenders cannot observe still leaves major gaps. Defensible architecture should create controlled pathways, but those pathways also need monitoring so defenders can see when trusted access becomes suspicious movement.
ICS visibility and network monitoring are the foundation for every other control. Adversaries increasingly operate through legitimate tools, credentials, and system interactions. In OT environments, that can look like normal administration, troubleshooting, or engineering activity unless defenders understand the asset, the communication, and the operational context. The problem is that OT telemetry is transient. If network traffic, system interactions, and asset state changes were not collected at the time of the event, the evidence needed to determine whether a cyber cause was involved may already be lost.
The Year in Review cited substantial deficiencies in OT and ICS visibility and monitoring in 46 percent of architecture reviews. Network penetration tests revealed similar detection gaps, with 56 percent of organizations unable to identify adversary activity carried out with native administration tools. Without visibility into OT communications and asset behavior, defenders are forced to guess whether cyber activity is involved.
Visibility also showed up as a readiness gap in tabletop exercises. Dragos observed that 88 percent of organizations struggled with detection, 94 percent struggled with containment, and 82 percent struggled with incident response plan activation. Dragos also observed that 82 percent of asset owners lacked clear criteria for when an operational anomaly should trigger a cybersecurity investigation.
Secure remote access is not just an authentication control. It is a way to govern and observe the pathways adversaries repeatedly abuse. Vendors, engineers, operations, and support teams depend on secure remote access to keep operations running. The important point is not that remote access exists. It is that remote access often reaches systems that influence operations.
A vendor tunnel, jump host, or VPN pathway may begin outside OT, but can lead toward engineering workstations, historians, control servers, or other systems that support physical processes. That makes visibility into remote sessions essential. Defenders need to know who connected, from where, to what system, what they did, and whether that activity aligns with normal operational use.
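What "who connected, from where, to what system, what they did" looks like once it is written down as a check. The following is an added example, not code from the Dragos Year in Review, the Dragos Platform, or Neighborhood Keeper: it correlates constructed VPN, jump-host and OT-host log records into per-session chains and reviews each chain against a constructed remote-access policy (approved source ranges, approved targets per account, a maintenance window, MFA required, all hops via the jump host). The log layout, account names, hostnames and the policy itself are assumptions made for the example.

```python
"""Correlate remote-access session records and review each session against
an access policy.  Added example, not Dragos code: the log format, accounts,
hostnames and policy below are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed records from three sources: the VPN concentrator ("vpn"), the
# jump host ("jump") and host logs on OT assets ("host").  Real products log
# differently; this key=value layout is an assumption for the example.
LOG_LINES = """\
2025-03-04T02:11:05Z vpn   login user=vendor-acme src=203.0.113.7 mfa=yes
2025-03-04T02:12:40Z jump  rdp   user=vendor-acme dst=jump01
2025-03-04T02:13:55Z host  rdp   user=vendor-acme src=jump01 dst=ews-01
2025-03-04T02:14:30Z host  exec  user=vendor-acme dst=ews-01 proc=TIAPortal.exe
2025-03-04T09:00:12Z vpn   login user=vendor-acme src=203.0.113.7 mfa=yes
2025-03-04T09:02:01Z jump  rdp   user=vendor-acme dst=jump01
2025-03-04T09:03:22Z host  rdp   user=vendor-acme src=jump01 dst=ews-01
2025-03-04T11:40:00Z vpn   login user=msp-admin src=198.51.100.9 mfa=no
2025-03-04T11:41:10Z jump  rdp   user=msp-admin dst=jump01
2025-03-04T11:42:37Z host  rdp   user=msp-admin src=jump01 dst=hist-01
2025-03-04T11:43:50Z host  rdp   user=msp-admin src=hist-01 dst=scada-srv
2025-03-04T13:05:00Z vpn   login user=contractor-x src=192.0.2.4 mfa=yes
"""

# Constructed policy: where each account may come from, what it may reach,
# and when.  Times are the approved maintenance window (UTC).
POLICY = {
    "vendor-acme": {"sources": ["203.0.113.0/24"], "targets": {"ews-01"},
                    "window": (time(8, 0), time(18, 0))},
    "msp-admin":   {"sources": ["198.51.100.0/24"], "targets": {"hist-01"},
                    "window": (time(8, 0), time(18, 0))},
}
JUMP_HOSTS = {"jump01"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse(lines):
    """Turn each log line into a dict of key=value fields plus ts/source/action."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, source, action, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      source=source, action=action)
        events.append(fields)
    return events

def sessions(events):
    """Group events by account; each VPN login opens a new session chain.
    Events for an account with no preceding VPN login are dropped."""
    chains = defaultdict(list)
    for ev in events:
        if ev["source"] == "vpn" and ev["action"] == "login":
            chains[ev["user"]].append([ev])
        elif chains[ev["user"]]:
            chains[ev["user"]][-1].append(ev)
    return [s for per_user in chains.values() for s in per_user]

def review(session, policy=POLICY, jump_hosts=JUMP_HOSTS):
    """Return the policy deviations for one session chain (empty if clean)."""
    login, user = session[0], session[0]["user"]
    rule = policy.get(user)
    if rule is None:
        return [f"{user}: account not in remote-access policy"]
    findings = []
    if login.get("mfa") != "yes":
        findings.append(f"{user}: VPN login without MFA")
    src = ipaddress.ip_address(login["src"])
    if not any(src in ipaddress.ip_network(n) for n in rule["sources"]):
        findings.append(f"{user}: login from unexpected source {src}")
    start, end = rule["window"]
    if not start <= login["ts"].time() <= end:
        findings.append(f"{user}: login at {login['ts']:%H:%M}Z outside maintenance window")
    for ev in session[1:]:
        if ev["source"] != "host":
            continue
        if ev["dst"] not in rule["targets"]:
            findings.append(f"{user}: reached {ev['dst']}, not an approved target")
        if "src" in ev and ev["src"] not in jump_hosts:
            findings.append(f"{user}: hop {ev['src']} -> {ev['dst']} bypassed the jump host")
    return findings

def review_all(lines=LOG_LINES, policy=POLICY):
    """Map 'user@HH:MM' of each VPN login to that session's findings."""
    return {f"{s[0]['user']}@{s[0]['ts']:%H:%M}": review(s, policy)
            for s in sessions(parse(lines))}

if __name__ == "__main__":
    for key, findings in review_all().items():
        print(key, findings or "ok")
```

On the constructed records the 09:00 vendor session is clean, the 02:11 session is flagged only for falling outside the maintenance window, the MSP session produces three findings (no MFA, a hop from the historian to a SCADA server that never passed through the jump host, and a target the account is not approved for), and the contractor login is flagged because the account is not in the policy at all. Opening a session on each VPN login is a simplification; a real correlation would key on the session identifier the concentrator assigns, and the host records would come from the asset's own audit log or from network monitoring rather than a single flat file.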
Insights from across the Dragos Intelligence Fabric consistently demonstrate that remote access remains one of the most persistent sources of risk. In 2025, 49 percent of Dragos Services reports included elevated findings related to remote access, and 53 percent identified internet-facing systems. The report also notes that ransomware and commodity malware incidents exploited well-known weaknesses, including shared credentials, lack of MFA, poor credential storage, and exposed management interfaces.
Risk-based vulnerability management in OT only works when it’s connected to asset context and operational consequence. It asks whether a weakness is exposed, reachable, tied to an operationally critical asset, or used by adversaries in the wild. Visibility determines whether that decision process works. Without accurate asset inventories and insight into how systems communicate, defenders cannot reliably determine which vulnerabilities require immediate action, which can be mitigated through segmentation and access control, and which do not meaningfully reduce operational risk even when remediated.
In 2025, 80 percent of services reports included a finding related to risk-based vulnerability management, while fewer than 5 percent could identify end-of-life or unsupported assets. That distinction matters. It is not simply that OT environments are old. The larger issue is limited visibility, incomplete asset inventories, and insufficient context to apply compensating controls when patching is delayed or impractical.
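The decision process described above (is the weakness exposed, reachable, on an operationally critical asset, or exploited in the wild), carried through as code so that the three outcomes the text names, immediate action, mitigation through segmentation and access control, and findings whose remediation does not meaningfully reduce risk, come out of asset and network context rather than a CVSS sort. This is an added example and not Dragos's own method or tooling; the asset inventory, zone conduits, entry points and findings are constructed, and "kev" is shorthand for "known to be exploited in the wild". Reachability is computed by walking permitted conduits from the assumed entry points, so changing a conduit changes the answer.

```python
"""Rank OT vulnerability findings by exposure, reachability, asset criticality
and known exploitation instead of by CVSS alone.  Added example, not Dragos
code; assets, conduits and findings are constructed for illustration."""
from collections import deque

# Constructed asset inventory: security zone, whether loss of the asset has
# an operational consequence, and whether it is end-of-life (no vendor fix).
ASSETS = {
    "hist-01": {"zone": "dmz",      "critical": False, "eol": False},
    "ews-01":  {"zone": "control",  "critical": True,  "eol": False},
    "plc-12":  {"zone": "control",  "critical": True,  "eol": True},
    "hmi-03":  {"zone": "control",  "critical": True,  "eol": True},
    "bms-01":  {"zone": "facility", "critical": False, "eol": False},
}

# Constructed conduits: zone -> zones it is permitted to initiate traffic to.
CONDUITS = {
    "internet":   {"dmz"},
    "enterprise": {"dmz"},
    "dmz":        {"control"},
    "control":    set(),
    "facility":   set(),
}

# Constructed findings.  'exposed' means the vulnerable service is listening
# on an interface inside the asset's zone; 'kev' means exploited in the wild.
FINDINGS = [
    {"id": "F-1", "asset": "hist-01", "cvss": 9.8, "exposed": True,  "kev": True},
    {"id": "F-2", "asset": "plc-12",  "cvss": 9.8, "exposed": True,  "kev": False},
    {"id": "F-3", "asset": "ews-01",  "cvss": 7.5, "exposed": True,  "kev": True},
    {"id": "F-4", "asset": "bms-01",  "cvss": 9.8, "exposed": True,  "kev": True},
    {"id": "F-5", "asset": "hmi-03",  "cvss": 6.5, "exposed": False, "kev": False},
]

def reachable_zones(start, conduits):
    """Zones reachable from `start` by following permitted conduits (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in conduits.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def triage(finding, assets=ASSETS, conduits=CONDUITS,
           entry_points=("internet", "enterprise")):
    """Return (bucket, reason) for one finding using asset and network context."""
    asset = assets[finding["asset"]]
    reach = set()
    for entry in entry_points:
        reach |= reachable_zones(entry, conduits)
    if not finding["exposed"] or asset["zone"] not in reach:
        return "defer", "no path from an entry point to the vulnerable service"
    if not (finding["kev"] or asset["critical"]):
        return "mitigate", "reachable but low consequence: restrict access, patch in normal cycle"
    if asset["eol"]:
        return "mitigate", "no vendor fix: isolate through segmentation and access control"
    return "immediate", "reachable, exploited or on a critical asset, and patchable"

ORDER = {"immediate": 0, "mitigate": 1, "defer": 2}

def prioritize(findings=FINDINGS, **context):
    """Order findings by bucket, then by CVSS within a bucket."""
    rows = [(f["id"], *triage(f, **context), f["cvss"]) for f in findings]
    rows.sort(key=lambda r: (ORDER[r[1]], -r[3]))
    return [(fid, bucket, reason) for fid, bucket, reason, _ in rows]

if __name__ == "__main__":
    for fid, bucket, reason in prioritize():
        print(f"{fid:5} {bucket:10} {reason}")
```

Note what the ranking does with CVSS: F-4 scores 9.8 and is marked as exploited, but the facility zone has no conduit from either entry point, so it lands in the deferred bucket, while F-2 outranks it because the PLC is both reachable and operationally critical but, being end-of-life, receives compensating controls instead of a patch. Passing a conduit map with the dmz-to-control conduit removed moves F-2 and F-3 to deferred, which is the "mitigated through segmentation" case in the text made checkable. The same structure is where the end-of-life gap from the findings above shows up: without the `eol` field in the inventory, the PLC would be scheduled for a patch that does not exist.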
The lesson from across the Dragos Intelligence Fabric, including insights from incident response, assessments, penetration tests, and tabletop exercises, is not that every organization falls short in the same way. It is that the same conditions repeatedly determine whether an event becomes manageable or disruptive.
Adversaries exploit exposed systems. Weak architecture lets them move. Limited visibility impedes detection. Poorly governed remote access gives them a path. Vulnerability management without asset context leaves defenders chasing the wrong work.
The Dragos 2026 OT/ICS Cybersecurity Year in Review provides the full frontline view: the incidents, assessments, exercises, and defensive gaps shaping OT cybersecurity. Download the full report to see how these lessons apply across industries and where security teams should focus next.